Rogue Cloud Software: An IT Problem Beyond a Shadow of a Doubt

The use of cloud software is at an all time high— on average, large enterprises use over 1,427 different cloud services. Many of these services are often inconspicuously used by employees attempting to bypass the traditional purchasing process or the departmental budget approval process for buying new software.

These “shadow IT” services are inexpensive for departments to use on a single user license basis, and the uptick in their use proves this. According to McAfee, 80% of workers have admitted to using software as a service (SaaS) applications without IT approval. These tools frequently become an inextricable part of operations, but, while using them can increase productivity, they also leave company data vulnerable to cyberattacks. Often, IT departments blindsided by such attacks don’t become aware of these third party applications until the attack occurs. Gartner predicts that, come 2020, one third of all successful attacks on enterprise technology will be on shadow IT resources.

But, how should companies balance end user demands for new tools with the need to allocate budgets and protect intellectual property (IP)?

The answer lies in establishing a culture of acceptance when making use of cloud services, and then setting boundaries to protect IP. Below are five steps companies can take to advance employee innovation and shield IT environments from cyber threats.

  1. Develop IT governance policies that include the use of personal devices or cloud software and define specific limits for which types of technology are acceptable. Emphasize that employees should use their best judgement.
  2. Establish active monitoring of IT systems, or make use of Cybersecurity as a Service (CSaaS) from a third-party provider, to continuously monitor IT environments and minimize risks.
  3. Mandate encryption of sensitive data. If sensitive information is being shared within cloud software, be sure employees understand that they must encrypt data.
  4. Maintain change management policies that account for when employees leave the company and when it’s time to revoke their network access.
  5. Conduct annual vulnerability and risk assessments to gain visibility into risks created by cloud software and establish a risk tolerance level for shadow IT software.